EH-Net members are invited to keep the conversation going with Kevin Johnson, Josh Wright and Ed Skoudis from InGuardians. These 3 security experts will be with us for about a week (depending on their time constraints) after each webcast to answer your questions. We will also post the links to webcasts as they become available.

Hope you enjoyed the webcast. Feel free to ask questions here that may not have been answered due to time constraints of the live venue. Also, if you want others to benefit from your live question or have Ed, Kevin or Josh expand further, asking the same question is also allowed.

Thanks for visiting EH-Net,Don

Last edited by don on Tue Mar 24, 2009 1:24 pm, edited 1 time in total.

You mentioned off-hand during the 'Ghost in the AP' portion of the webcast, that cloaking or hiding SSIDs should not be done any more. Now I've heard this explanation before, but you do it much better than I do. So could you quickly recap why it is now a common practice not to cloak, even though it had been the way of the world for quite some time?

vijay2 wrote:I guess this question is not particularly related to this WebCast, but maybe Kevin or Ed point me to some decent documentation for BeEF. Just looking for background info, setup and workings.

Thanks

VJ

I am not sure of any "good" documentation other then the bit on the bindshell.net web site. It has a bit of information. You can also find some postings on various blogs around the internet.

don wrote:You mentioned off-hand during the 'Ghost in the AP' portion of the webcast, that cloaking or hiding SSIDs should not be done any more. Now I've heard this explanation before, but you do it much better than I do. So could you quickly recap why it is now a common practice not to cloak, even though it had been the way of the world for quite some time?

The problem with SSID cloaking is that you force your client systems to constantly ask every AP they see "Are you my mother?" (queue the Dr. Seuss book ... SNORT!) If you cloak the SSID of your work AP and the user is stuck in Terminal C of O'Hare Airport*, they are constantly sending out probe requests with the cloaked SSID.

A friend made the analogy to a military officer. The officer is lost, and he is looking for his military base. He asks everyplace he sees "Are you my military base?", "Are you?" Eventually, someone will say "yes", which we otherwise would call Karmetasploit (http://trac.metasploit.com/wiki/Karmetasploit).

Other reasons SSID cloaking doesn't make sense:

1. It provides no security. As any Kismet user will tell you, watching a legitimate user login to the AP discloses the SSID.2. It leads to user confusion. Users who can't find their wireless network are 18 times as prone to click on "Free Public WiFi" or any other nonsense SSID they come across (I read that statistic in the Journal of Clinical Neuroscience).3. Users call your helpdesk more. If they need special shared information about the SSID, they are going to call your helpdesk all that much more. I found it was better to make friends with the helpdesk people than ... enemies.

I wrote a short article about this topic a few years ago for Network World which states similar points with more penache than I can muster at the moment:

* The best place to eat in O'Hare Airport is a take-out place in the K concourse called "Burrito Beach". You'll thank me for it. If you know of a place in the C concourse where there are more than a handful of working electrical outlets for public use, please let me know and I think kindly of you often!